Security action verification in a computing network

ABSTRACT

Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.

RELATED APPLICATIONS

This application claims the benefit of, and priority to, U.S. Provisional Patent Application No. 62/169,047, entitled “SECURITY ACTION VERIFICATION IN A COMPUTING NETWORK”, filed Jun. 1, 2015, which is hereby incorporated by reference in its entirety for all purposes.

TECHNICAL FIELD

Aspects of the disclosure are related to computing environment security, and in particular to verifying security actions prior to implementation in a computing network.

TECHNICAL BACKGROUND

An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber-attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services to user computing systems, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.

In some implementations, security actions may be implemented by an administration system for the computing environment or network. This administration system may be responsible for identifying a threat, determining an appropriate action for the threat, and providing the security action to the computing environment. However, although administration systems may provide actions to prevent or mitigate the effects of a security threat, improper security actions from non-approved sources may cripple the functionality of the network, and possibly open paths for future security threats.

OVERVIEW

The technology disclosed herein provides enhancements for verifying security actions before they are implemented in a computing network. In one implementation, a method of implementing security actions in a computing network with a plurality of computing assets includes, in an administration system, identifying a security action to be implemented in at least one computing asset of the computing network. The method further provides, in response to identifying the security action, exchanging, between the administration system and the at least one computing asset, security parameters for the security action. The method also includes, in the at least one computing asset, determining whether the security action is approved for the at least one computing asset based on the security parameters and, if the security action is approved, initiating implementation of the security action.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the disclosure can be better understood with reference to the following drawings. While several implementations are described in connection with these drawings, the disclosure is not limited to the implementations disclosed herein. On the contrary, the intent is to cover all alternatives, modifications, and equivalents.

FIG. 1 illustrates a system to verify security actions prior to implementing the security actions in a computing network according to one implementation.

FIG. 2 illustrates a method of verifying security actions prior to implementing the security actions in a computing network according to one implementation.

FIG. 3 illustrates a timing diagram for verifying a security action prior to implementing the security action in a computing network according to one implementation.

FIG. 4 illustrates a system to verify and authorize security actions prior to implementing the security actions in a computing network according to one implementation.

FIG. 5 illustrates a credential interface to authorize security actions prior to implementing the security actions in a computing network according to one implementation.

FIG. 6 illustrates an operational scenario of implementing a security action in a computing network according to one implementation.

FIG. 7 illustrates an administration computing system to implement security actions according to one implementation.

FIG. 8 illustrates an asset computing system to verify security actions prior to implementing the security action according to one implementation.

TECHNICAL DISCLOSURE

The various examples disclosed herein provide for verifying a security action before it can be implemented within a computing network. In particular, computing networks, such as those used for corporations, partnerships, and other similar organizations, include a variety of computing assets to provide desired operations. These computing assets may include end user computing systems, serving computing systems, virtual machines, firewalls, routers, switches, and other similar computing assets. During operation of the computing assets, security threats may be encountered that limit or otherwise hinder the operation of the network as a whole. Accordingly, an administrator or an automated process associated with the network may be configured to identify security actions to be taken in the environment, and initiate implementation of the actions within the appropriate computing assets.

Here, the actions that are to be implemented within a computing network are required to be verified before they can be applied to the computing assets. By verifying an action prior to implementation, only actions that have proper credentials may be applied to the system, limiting the possibility of a crippling action to the computing environment. In particular, an administration system associated with the computing network may be configured to identify a security action to be implemented in one or more of the assets of the network. Once the action is identified, assets associated with the action may be notified of the action, and security parameters or credentials may be exchanged between the administration system and the one or more assets to verify the security action. After the security action is verified, the action may be implemented within the network.

In some implementations, in exchanging the security credentials with the assets associated with the threat, the administration system may be configured to receive credentials, such as a username and password, associated with the particular asset. Once received, the credentials may be supplied to the asset, where the asset may determine whether the credentials are appropriate for the asset. If the credentials are appropriate, the asset may initiate application of the security action; however, if the credentials are not appropriate, the asset may block or prevent the action from being implemented on the asset. In some implementations, in blocking the implementation of the action, the asset may also transfer a notification to the administration system indicating that the credentials were not accepted. By requiring credentials for each of the assets to which a security action is applied, only the limited personnel holding those credentials may implement security actions on particular assets. Further, rather than maintaining credentials in a centralized location, such as the administration system, the administrators may rely on the end assets to maintain credential verification for each of the security actions.

Referring now to FIG. 1, FIG. 1 illustrates a system 100 to verify security actions prior to implementing the security actions in a computing network according to one implementation. System 100 includes action sources 110, administration system 120, and organization network 130. Organization network 130 includes assets 140-143, which may comprise end user computing systems, serving computing systems, virtual machines, routers, switches, firewalls, or any other similar computing asset, including combinations thereof. Although illustrated with four computing assets in the present example, it should be understood that any number of computing assets may be implemented within a computing network.

In operation, computing assets 140-143 provide various operations for an organization. During the operation of the computing assets, the assets may be subjected to security threats from various sources, which may include viruses, denial of service attacks, data retrieval attacks, ransomware attacks, or any other similar security threat. To counteract the threat, administration system 120 may be communicatively coupled to organization network 130, allowing an administrator or an automated process to implement security actions limiting the effect of security threats within the environment. However, although the security actions are created to assist in eliminating security threats, improper security actions may limit the operations of organization network 130, or leave the network open to other security threats.

Here, administration system 120 receives or identifies action 115 from action sources 110. This action may include an action to block a particular internet protocol (IP) address, to remove a particular process from one or more assets, to segregate one or more assets from other assets in the environment, or any other security action for a computing network. Action 115 may be specified by an administrator of the organization network, may be retrieved from a database of actions available to administration system 120, may be generated in response to identifying a threat in the network by administration system 120, or may be generated in any other manner. Once the action is specified, administration system 120 will notify the required assets of the upcoming security action, authenticate the security action, and implement the action within the network.

To further demonstrate the operation of system 100, FIG. 2 is provided. FIG. 2 illustrates a method 200 of verifying security actions prior to implementing the security actions in a computing environment. As depicted, method 200 includes, in administration system 120, identifying security action 115 to be implemented in organization network 130 (201). This security action may be generated by an administrator for the network, may be retrieved from a database of security actions, may be generated by an automated process in response to a threat (in some cases by administration system 120), or may be generated in any other similar manner. Once the security action is identified, administration system 120 notifies at least one asset in the computing network of the security action (202). For example, the security action may include blocking a particular IP address from accessing all assets within organization network 130. Accordingly, administration system 120 may transfer a notification to assets 140-143 informing the assets that an action is desired.

In addition to, and in some cases in place of, notifying the assets of the impending security action, method 200 further includes exchanging, between the administration system and the at least one asset, security parameters for the security action (203). Based on the security parameters, the assets may determine whether the security action is approved for the particular assets (204). In some implementations, the security exchange may include exchanging phrases or codes, which can be verified using keys on the administration system and the assets. For example, in response to being notified of a security action, the asset may generate a code and transfer the code to the administration system. Once received, the administration system may apply a key to the code to generate a response code, and transfer the response code back to the particular asset. Once received from the administration system, the asset may compare the response code with an expected result to determine whether the security action is approved for the asset. In some examples, the exchanged security parameters may include Secure Sockets Layer (SSL) parameters, which are used to establish an encrypted link between two computing devices.
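The code/response exchange just described, as an added example that is not part of the patent: the asset issues a random code for the notified action, the administration system applies the asset's key to it, and the asset compares the response with its own expected result before applying anything. The patent does not name the keyed function, so an HMAC-SHA256 over the code and the action is an assumption here, as are the class and function names and the constructed keys and action string.

```python
import hashlib
import hmac
import secrets


class Asset:
    """Computing asset (e.g. asset 140) holding the key used to check response codes."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key
        self._pending: dict[str, str] = {}  # outstanding code -> action it was issued for
        self.applied: list[str] = []        # actions that passed verification

    def on_notify(self, action: str) -> str:
        """Asset side of steps 202/203: a fresh random code is issued for this action."""
        code = secrets.token_hex(16)
        self._pending[code] = action
        return code

    def expected_response(self, code: str, action: str) -> str:
        # The expected result binds the code to the action (an assumption beyond the text),
        # so a response obtained for one action cannot be reused to approve a different one.
        msg = f"{code}|{action}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def on_response(self, code: str, response: str) -> bool:
        """Step 204: compare the response with the expected result; apply only on a match."""
        action = self._pending.pop(code, None)
        if action is None:
            return False  # unknown or already-consumed code (replayed or forged exchange)
        if not hmac.compare_digest(self.expected_response(code, action), response):
            return False
        self.applied.append(action)
        return True


class AdministrationSystem:
    """Administration system (e.g. administration system 120) holding one key per asset."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self._keys = keys

    def respond(self, asset_name: str, code: str, action: str) -> str:
        """Apply this asset's key to the received code to produce the response code."""
        msg = f"{code}|{action}".encode()
        return hmac.new(self._keys[asset_name], msg, hashlib.sha256).hexdigest()


def run_exchange(admin: AdministrationSystem, asset: Asset, action: str) -> bool:
    """One complete notify / code / response / decide round for a single asset."""
    code = asset.on_notify(action)
    response = admin.respond(asset.name, code, action)
    return asset.on_response(code, response)


def demo() -> dict[str, bool]:
    # Constructed keys: in practice each is provisioned once to the asset and the administration system.
    keys = {"asset-140": secrets.token_bytes(32), "asset-141": secrets.token_bytes(32)}
    assets = {name: Asset(name, key) for name, key in keys.items()}
    admin = AdministrationSystem(keys)
    # A source that does not hold the assets' keys, standing in for a non-approved action source.
    rogue = AdministrationSystem({name: secrets.token_bytes(32) for name in keys})
    action = "block IP address 198.51.100.7"  # constructed example action

    genuine = all(run_exchange(admin, a, action) for a in assets.values())
    rejected = not run_exchange(rogue, assets["asset-140"], action)
    # Replay: presenting a captured valid response a second time does not approve a second application.
    code = assets["asset-141"].on_notify(action)
    response = admin.respond("asset-141", code, action)
    first = assets["asset-141"].on_response(code, response)
    replayed = assets["asset-141"].on_response(code, response)
    return {"genuine": genuine, "rogue_rejected": rejected,
            "first_ok": first, "replay_rejected": not replayed}


if __name__ == "__main__":
    print(demo())
```

Binding the action into the keyed response and consuming each code once are design choices beyond the text; they stop a response captured for one action from approving another, and stop a captured exchange from being replayed. How the per-asset key is provisioned and protected on both sides is left open by the patent and is the part a deployment has to get right.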

In another implementation, the security exchange may include the delivery of a digital signature from the administration system to the required assets. This digital signature allows the administration system to provide assurances as to the origin, identity, and status of the security action, and may further provide evidence of informed consent from the associated administrator. Accordingly, when an action is required within the network, an administrator at administration system 120 may select an action, generating a signature for the selection that can then be transferred with the action to the corresponding network assets. For example, if an action were to be implemented on assets 140-141, the action may be delivered to each of the assets with the requisite signature to implement the action. If an action did not include the signature, however, the assets may prevent or block the security action from being implemented in the network, and may notify the administration system that the action could not be implemented with the provided credentials.

In some examples, the delivery of the digital signature or the security parameters may include security credentials associated with the particular assets. For example, an administrator may provide username and password information for each of the assets for the security action. Once provided, the credentials may be supplied to the computing assets, and processed to determine whether the action is permitted. If permitted, the assets may initiate the implementation of the security action on the computing system. This may include configuring the security action that was provided before, during, or after the security credentials, or may include transferring a notification to the administration system requesting the security action.

Turning to FIG. 3, FIG. 3 illustrates a timing diagram 300 for verifying a security action prior to implementing the security action in a computing network according to one implementation. Timing diagram 300 includes administration system 310 and assets 320-321, which are representative of assets that can be implemented within a computing network, such as an organization, corporation, and the like.

As illustrated, administration system 310 identifies a security action to be implemented in computing assets 320-321. This action may include an action to block a particular IP address, prevent access to the assets by a particular user, remove one or more processes from the assets, segregate the assets from other assets within the network, or any other similar security measure. Once the action is identified, administration system 310 notifies assets 320-321 of the security action, which may include delivering the particular security action to the assets. After notifying the assets of an impending security action, administration system 310 and computing assets 320-321 may exchange security parameters to ensure that the security action is valid. This exchange may include an SSL exchange, a security passphrase exchange, a delivery of an electronic signature to the computing assets, or any other similar exchange of security parameters to validate the action and/or the source of the action.

Based on the exchanged parameters, the assets may determine whether the particular action is approved. If the action is not approved to be implemented, no further action is required by the assets. In contrast, if the action is approved, a process may be initiated to implement the particular action within the computing assets. For example, the action identified by administration system 310 may require that a particular process is removed from assets 320-321. Once the action is identified by administration system 310, administration system 310 may notify and exchange security parameters with the assets to verify the particular action and the identity of the approving administration device. Once verified, the action to remove the process may be implemented in the assets.

In some implementations, the security action identified by administration system 310 may comprise an action written in a unified security language for all computing assets. This unified security language may comprise Python, C, C++, or some other language that can be used to define security actions across a plurality of assets. Although the language allows actions to be taken across a plurality of assets in a computing environment, each of the assets may include a different hardware or software configuration. Consequently, the security action written in the unified security language may be required to be translated into the necessary procedures to implement the action on the individual assets. This translation may occur locally, at administration system 310, or may occur in the target computing assets. For example, a unified command for FIG. 3 may include, “block IP address X on asset 320 and asset 321.” Once defined, the hardware and software characteristics for assets 320-321 may be identified, and the action may be translated into the necessary procedures for implementing the action on assets 320-321. Accordingly, the action that is transferred from the administration system to the assets may include the unified language, allowing the assets to translate the action into the appropriate processes, or may include the specific processes for the individual asset.

FIG. 4 illustrates a system 400 to verify and authorize security actions prior to implementing the security actions in a computing network according to one implementation. System 400 includes action 415, administration system 420, and organization network 430. Administration system 420 is used to provide credential interface 500, which may be provided via a user interface console to an administrator of the organization network or some other user interface element as part of administration system 420. Organization network 430 includes assets 440-443, which are representative of computing assets, such as end user computing systems, serving computing systems, virtual machines, routers, switches, firewalls, or any other similar computing asset, including combinations thereof.

As described herein, when security threats are identified within organization network 430, an administration system, such as administration system 420, is used to verify and authorize a security action to be taken against the threat. In the example of system 400, administration system 420 identifies a security action 415 to be implemented in assets 440 and 442 of organization network 430. This security action may be provided manually by the administrator, or may be automatically identified based on the type or identity of the threat in the environment.

In some implementations, action 415 may be determined by administration system 420 based on the type of threat identified within organization network 430. For example, if a threatening IP address were requesting communications with one or more of the assets in the environment, administration system 420 may identify the threat in the environment, and identify a security action to be taken against the threat, wherein the response may include blocking future communications from the IP address, limiting communications with the IP address, or some other similar action. In the example of blocking an IP address, administration system 420 may identify one or more firewall assets within organization network 430, and identify an appropriate action to configure the firewalls to block the corresponding IP address. Once identified, a credential interface 500 may be supplied to an administrator of the required assets, permitting the user to provide the credentials associated with the required assets.

Here, a user is provided with credential interface 500 corresponding to the credentials for asset 440 and asset 442. Once the credentials are supplied, the credentials are transferred or exchanged with assets 440 and 442, and once authorized, the security action is implemented within the appropriate assets. In some implementations, the security action may be transferred with the credentials, such that the action may be implemented once approved credentials are supplied to assets 440 and 442. In other implementations, credentials may be supplied to the asset, and the asset may notify administration system 420 whether the credentials are accepted or declined. If the credentials are accepted, administration system 420 may transfer the action operations to the asset for implementation; however, if the credentials are not accepted, the action may not be transferred, as the action cannot be implemented without the appropriate credentials.

Referring now to FIG. 5, FIG. 5 illustrates a credential interface 500 to authorize security actions prior to implementing the security actions in a computing network according to one implementation. Credential interface 500 in FIG. 5 is representative of a sample interface that may be supplied on an administration system permitting an administrator of an organization network to authorize an action before it is implemented within the environment. In the present implementation, credential interface 500 includes security action description 510, first credentials 520, and second credentials 521.

As described previously in FIG. 4, an administration system is configured to identify security threats within organization network 430. Once the security threat is identified, administration system 420, which may include one or more computing systems as well as administration consoles, may determine a security action to be taken against the threat. This action may be determined based on information, such as IP address information, URL information, process naming information, author information, or any other describing features for the threat. Further, enrichment information may be determined from one or more databases or sources (such as websites) based on the describing features, wherein the enrichment information may include information about the IP address, URL, process name, or other similar information. For example, the enrichment information may provide information about whether the threat is malicious, whether the threat is safe, or whether the threat is previously unidentified. Once the describing features and enrichment information are obtained, administration system 420 may identify a security action to be taken against the threat. This security action may include blocking an IP address that is malicious, removing a malicious process, monitoring an unknown IP address or process, or some other operation based on defined rules for the enrichment information and describing features.

Here, once the security action is defined, an administrator of the network is provided with credential interface 500 to provide credentials and implement a desired operation. In particular, credential interface 500 includes security action description 510, first credentials 520 corresponding to asset 440, and second credentials 521 corresponding to asset 442. Once the credential interface is provided, the administrator may provide the credentials, including at least a username and password for assets 440 and 442, and transfer the credentials to the corresponding computing assets. Once provided, the assets may determine whether the credentials are accepted for the computing asset, and initiate implementation of the desired security action.

As an illustrative example, security action description 510 may describe blocking a particular IP address for assets 440 and 442. Based on the description, and whether the administrator approves of the provided action, the user may provide first credentials 520 and second credentials 521. These credentials may be supplied to assets 440 and 442 and, once supplied, may be processed to determine whether the block IP address security action is accepted. If accepted, the action may be implemented as desired in the computing assets; however, if the credentials are not accepted, the action may be blocked and prevented from being implemented on the desired computing assets. Further, in some examples, if the credentials are not accepted, the asset may return a notification to the administration system indicating the security action could not be completed.

By permitting the administrator to provide the credentials for each of the assets, a single entity is no longer responsible for maintaining credentials for each asset in organization network 430. In particular, by permitting each asset to maintain its own credentials, there is no central information store that a malicious entity could breach to gain access to every asset of network 430. Rather, each of the edge assets maintains its own credentials, ensuring that no single point of failure can be used to access all of the assets.
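An added example, not the patent's own code, of the credential-based verification described for credential interface 500 and of the point just made about assets keeping their own credentials: each asset holds a salted PBKDF2 verifier for its own username and password, the administration system only forwards what the administrator entered and records the accepted/declined outcome, and both delivery patterns in the text are shown, the action sent together with the credentials, or the credentials sent first with the action transferred only after an accepted notification. The class and method names, the PBKDF2 choice, the one-time approval token for the two-step flow, and the constructed credentials are all assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; tune to the asset's hardware


class Asset:
    """Edge asset that keeps its own credential store; nothing is held centrally."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._store: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, derived key)
        self._tokens: set[str] = set()   # one-time approvals issued in the two-step flow
        self.applied: list[str] = []

    def enroll(self, username: str, password: str) -> None:
        """Provisioning on the asset itself; the administration system never sees this store."""
        salt = secrets.token_bytes(16)
        self._store[username] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _credentials_ok(self, username: str, password: str) -> bool:
        salt, stored = self._store.get(username, (b"\x00" * 16, b"\x00" * 32))
        # Always derive, so an unknown username costs the same time as a wrong password.
        derived = self._derive(password, salt)
        return username in self._store and hmac.compare_digest(stored, derived)

    # Pattern 1 (FIG. 6 as drawn): credentials and action arrive together.
    def apply_with_credentials(self, username: str, password: str, action: str) -> dict:
        if not self._credentials_ok(username, password):
            return {"asset": self.name, "status": "declined", "action": action}
        self.applied.append(action)
        return {"asset": self.name, "status": "applied", "action": action}

    # Pattern 2: credentials first, notification back, action transferred afterwards.
    def authorize(self, username: str, password: str) -> dict:
        if not self._credentials_ok(username, password):
            return {"asset": self.name, "status": "declined", "token": None}
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return {"asset": self.name, "status": "accepted", "token": token}

    def apply(self, token: str, action: str) -> dict:
        if token not in self._tokens:
            return {"asset": self.name, "status": "declined", "action": action}
        self._tokens.discard(token)  # single use: one accepted notification, one action
        self.applied.append(action)
        return {"asset": self.name, "status": "applied", "action": action}


class AdministrationSystem:
    def __init__(self, assets: list) -> None:
        self._assets = {a.name: a for a in assets}

    def implement(self, action: str, credential_interface: dict, two_step: bool = False) -> dict:
        """credential_interface: asset name -> (username, password), as entered by the administrator.
        Credentials are forwarded to each asset and not retained here; only outcomes are kept."""
        outcomes = {}
        for name, (user, pw) in credential_interface.items():
            asset = self._assets[name]
            if not two_step:
                outcomes[name] = asset.apply_with_credentials(user, pw, action)["status"]
                continue
            reply = asset.authorize(user, pw)
            if reply["status"] != "accepted":
                outcomes[name] = "declined"   # the action is never transferred
                continue
            outcomes[name] = asset.apply(reply["token"], action)["status"]
        return outcomes


def demo() -> dict:
    a440, a442 = Asset("asset 440"), Asset("asset 442")
    a440.enroll("fw-admin", "correct horse 440")   # constructed credentials
    a442.enroll("fw-admin", "correct horse 442")
    admin = AdministrationSystem([a440, a442])
    action = "block IP address 198.51.100.7"       # constructed action
    good = {"asset 440": ("fw-admin", "correct horse 440"),
            "asset 442": ("fw-admin", "correct horse 442")}
    mixed = {"asset 440": ("fw-admin", "correct horse 440"),
             "asset 442": ("fw-admin", "wrong password")}
    return {
        "together": admin.implement(action, good),
        "two_step": admin.implement(action, good, two_step=True),
        "mixed": admin.implement(action, mixed, two_step=True),
        "applied_440": len(a440.applied),
        "applied_442": len(a442.applied),
    }


if __name__ == "__main__":
    print(demo())
```

The design point the paragraph makes is visible in the `AdministrationSystem`: it has no credential store at all, so compromising it yields nothing that unlocks the assets. In the two-step pattern a declined asset never receives the action, matching the text, and an asset that has accepted credentials hands back a one-time token so the later action transfer cannot be replayed into a second application.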

Referring to FIG. 6, FIG. 6 illustrates an operational scenario 600 of implementing a security action in a computing network according to one implementation. Operational scenario 600 includes systems and elements of system 400 of FIG. 4. In particular, operational scenario 600 includes action 415, administration system 420, and organization network 430.

In operation, at step 1, action 415 is identified by administration system 420. This action may be developed by an administrator of organization network 430, may be developed by an automated operation based on a threat identified in organization network 430, or may be identified in any other similar manner. In at least one implementation, administration system 420 may use descriptor information for a threat and enrichment information obtained from one or more resources to determine the type of threat. Once determined, a security action may be provided to an administrator to be implemented in organization network 430.

In the present implementation, in response to the security action, which is either generated by an automated process or from a user recommendation, credential interface 500 is provided to an administrator. In some implementations, the action may be generated and presented to the user at the same device; however, in other examples, a first administration device (such as a server) may be used to generate the action, which is then provided to an administration console device (computer, smartphone, tablet, and the like) for administrator authorization. Once the credential interface 500 is provided, the administrator, at step 2, provides credentials that are received by administration system 420. These credentials may include, but are not limited to, a username associated with the asset, a password associated with the asset, a passphrase for an asset, or some other similar credential. Once the credentials are received, the credentials and the action may be provided, at step 2, to asset 440 and asset 442.

Assets 440 and 442 may, in response to receiving the information from administration system 420, at step 4, verify that the credentials supplied from the administration system approve the security action and initiate the implementation of the security action on the asset. In some implementations, rather than providing the action with the credentials, the assets may transfer a notification that the action is permitted. Once the notification is received, administration system 420 may transfer the security action to assets 440 and 442.

Although illustrated in the example of FIG. 6 as providing the credentials and the security action together, it should be understood that the credentials may be supplied first to assets 440 and 442 before the action is transferred. Once the credentials are received, assets 440 and 442 may verify the request for the action using the credentials and transfer a notification to administration system 420 approving the security action. After the action is received by the assets, the assets may implement the desired action.

In some examples, assets 440 and 442 may comprise assets from different hardware developers or software manufacturers. Consequently, different operations may be required to implement a desired security action on each of the assets. To provide the action across the various assets in the environment, a unified programming language may be used, such that a single action command can be translated and implemented across multiple assets or devices. This unified security language may comprise Python, C, C++, or some other language that can be used to define security actions across a plurality of assets. Translation of this unified language may occur locally, at the administration system, or may occur in the target computing assets for a particular computing action. For example, a unified command for FIG. 6 may include, “block IP address X on asset 440 and asset 442”. Once defined, the hardware and software characteristics for assets 440 and 442 may be identified, and the action may be translated into the necessary procedures for implementing the action on the assets. Accordingly, the action that is transferred from the administration system to the assets may include the unified language, allowing the assets to translate the action into the appropriate processes, or may include the specific operations for each of the individual assets to implement the desired action.
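The translation of a unified command into per-asset procedures, serving both the FIG. 3 and the FIG. 6 paragraphs on the unified security language, as an added example that is not from the patent: the unified action is parsed against a fixed grammar, the address is validated as a literal IP address before it can reach any shell command, and a constructed inventory of hardware/software characteristics selects the procedure for each asset (an iptables rule for a Linux firewall, a Windows advfirewall rule for a Windows host). The inventory, the command grammar and the function names are assumptions; the patent only names the unified language and the example command.

```python
import ipaddress
import re

# Constructed inventory: the hardware/software characteristics identified for each asset.
INVENTORY = {
    "asset 440": {"platform": "linux", "firewall": "iptables"},
    "asset 442": {"platform": "windows", "firewall": "advfirewall"},
}

# Fixed grammar for the one unified command the text names; anything else is rejected.
_COMMAND = re.compile(r"^block IP address (\S+) on (.+)$")


def parse_unified(command: str):
    """Parse 'block IP address X on asset A and asset B' into (address, [assets])."""
    m = _COMMAND.match(command.strip().rstrip("."))
    if m is None:
        raise ValueError(f"not a recognised unified command: {command!r}")
    # ipaddress rejects anything that is not a literal IPv4/IPv6 address, so shell
    # metacharacters or hostnames never make it into the translated procedure.
    address = ipaddress.ip_address(m.group(1))
    targets = [t.strip() for t in re.split(r",|\band\b", m.group(2)) if t.strip()]
    return address, targets


def translate(address, asset: str) -> list[str]:
    """Translate the unified action into the procedure for one asset's platform."""
    try:
        profile = INVENTORY[asset]
    except KeyError:
        raise ValueError(f"unknown asset: {asset}") from None
    if profile["firewall"] == "iptables":
        tool = "ip6tables" if address.version == 6 else "iptables"
        return [f"{tool} -I INPUT -s {address} -j DROP"]
    if profile["firewall"] == "advfirewall":
        return [f'netsh advfirewall firewall add rule name="block-{address}" '
                f"dir=in action=block remoteip={address}"]
    raise ValueError(f"no translation for {profile}")  # fail closed rather than guess


def translate_command(command: str) -> dict[str, list[str]]:
    """Whole pipeline: unified command -> {asset: [procedure steps]}."""
    address, targets = parse_unified(command)
    return {asset: translate(address, asset) for asset in targets}


if __name__ == "__main__":
    for asset, steps in translate_command(
            "block IP address 198.51.100.7 on asset 440 and asset 442").items():
        print(asset, steps)
```

Whether this runs on the administration system or on the asset, the parse-then-validate step is what keeps the unified language from becoming an injection path once the translated procedure is handed to a shell; unknown assets and platforms raise rather than producing a best-effort command.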

FIG. 7 illustrates an administration computing system 700 to implement security actions. Administration computing system 700 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the administration systems described herein in FIGS. 1-6. Computing system 700 comprises communication interface 701, user interface 702, and processing system 703. Processing system 703 is communicatively linked to communication interface 701 and user interface 702. Processing system 703 includes processing circuitry 705 and memory device 706 that stores operating software 707.

Communication interface 701 comprises components that communicate over communication links, such as network cards, ports, radio frequency (RF) transceivers, processing circuitry and software, or some other communication devices. Communication interface 701 may be configured to communicate over metallic, wireless, or optical links. Communication interface 701 may be configured to use time-division multiplexing (TDM), IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof. In particular, communication interface 701 communicates with a plurality of computing assets in a computing network to implement desired security actions. Further, in some implementations, communication interface 701 may communicate with action sources, such as databases and websites, to retrieve requested security actions.

User interface 702 comprises components that interact with a user. User interface 702 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 702 may be configured to receive administrator credentials associated with one or more assets according to one implementation. However, user interface 702 may be omitted in some examples.

Processing circuitry 705 comprises a microprocessor and other circuitry that retrieves and executes operating software 707 from memory device 706. Memory device 706 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 707 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 707 includes action module 708, verify module 709, and provide module 710, although any number of software modules may provide the same operation. Operating software 707 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 705, operating software 707 directs processing system 703 to operate administration computing system 700 as described herein.

In particular, action module 708 directs processing system 703 to identify a security action to be implemented within a computing network. This action may include an action to block a particular IP address in the network, an action to remove a particular process, an action to segregate one or more assets into a virtual local area network (VLAN), or any other security action within the environment. In identifying the action, administration computing system 700 may be configured to receive the action via user interface 702, may be configured to receive the action from a database or second computing system, may be configured to identify the action based on threat characteristics in the computing network and/or enrichment information from external sources, or may identify the action in any other similar manner.

In response to identifying the action, verify module 709 directs processing system 703 to notify, via communication interface 701, relevant computing assets that a security action is to be implemented in the network. Once notified, verify module 709 may exchange security parameters with the relevant computing assets to verify the action and, in some examples, verify administration computing system 700. This verification may include an exchange of passphrases between the administration computing system and the assets, an SSL verification process between the administration computing system and the assets, a digital signature on the action that is sent to the assets, or any other similar verification process for the security action. In at least one example, the exchange may include transferring, via communication interface 701, usernames, passwords, and other similar information for an administrator to the corresponding computing assets.

Before, during, or after the exchange of the security parameters, provide module 710 directs processing system 703 to transfer the required action operations to the relevant computing assets. In some implementations, the action processes may be transferred to the asset as the notification for the impending action. However, in other implementations, the action processes may only be transferred once the verification is complete with the computing assets. In at least one example, provide module 710 may direct processing system 703 to wait for a verification approval notification from the affected assets prior to transferring the security action commands.

FIG. 8 illustrates an asset computing system 800 to verify security actions prior to implementing the security action. Asset computing system 800 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the computing assets described herein in FIGS. 1-6. Asset computing system 800 may be an example of a serving computing system, an end user computing system, a switch, a router, or some other similar computing asset described herein. Computing system 800 comprises communication interface 801, user interface 802, and processing system 803. Processing system 803 is communicatively linked to communication interface 801 and user interface 802. Processing system 803 includes processing circuitry 805 and memory device 806 that stores operating software 807.

Communication interface 801 comprises components that communicate over communication links, such as network cards, ports, radio frequency (RF) transceivers, processing circuitry and software, or some other communication devices. Communication interface 801 may be configured to communicate over metallic, wireless, or optical links. Communication interface 801 may be configured to use time-division multiplexing (TDM), IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format, including combinations thereof. In particular, communication interface 801 may communicate with an administration system that provides security actions, and may also communicate with one or more other computing systems within the computing network.

User interface 802 comprises components that interact with a user. User interface 802 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 802 may be omitted in some examples.

Processing circuitry 805 comprises a microprocessor and other circuitry that retrieves and executes operating software 807 from memory device 806. Memory device 806 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 807 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 807 includes action module 808 and verify module 809, although any number of software modules may provide the same operation. Operating software 807 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 805, operating software 807 directs processing system 803 to operate asset computing system 800 as described herein.

In particular, asset computing system 800 may operate in a computing network with one or more other computing assets that provide desired operations for a corporation, a partnership, or some other type of organization. During the operation of asset computing system 800, action module 808 directs processing system 803 to identify, or receive via communication interface 801, a notification of an impending security action from an administration system. In response to identifying the security action notification, verify module 809 directs processing system 803 to verify the security action and/or the source of the security action before the action can be implemented within the environment. Once the action and source are identified, asset computing system 800 may initiate an operation to apply the security action.

In some implementations, asset computing system 800 may be communicatively linked to an administration system that can apply security actions to various computing systems. Accordingly, when an action request is received, which in some examples may include the credentials for the action, asset computing system 800 may verify that the action is valid and also verify that the action originated from the administration computing system. To verify the security actions, verify module 809 may be configured to provide an SSL exchange with the requesting action source, may be configured to exchange passphrases with the action source, may be configured to check a digital signature with the security action to authenticate the action, or may provide any other similar check on the security action and the action source, including combinations thereof. In at least one example, administrators of a computing network may be associated with a digital signature, such as a username and password, that can be used to approve security actions on one or more assets before they are implemented in the computing network. As a result, when a security action notification is received, the asset computing system may compare the signature provided with the action against an expected signature from the administrator. If the signature appears valid and the administrator is permitted to configure the asset, then the security action may be implemented within the environment. In contrast, if the signature does not appear valid, the asset computing system may prevent the action from being implemented in the environment.

By performing the validation of the security action and, in some examples, the verification of the administration system, computing assets may prevent improper security actions that may hinder the operations of the computing network or make the network more susceptible to security threats. For example, a computing system may provide an unauthorized security action to a computing asset, allowing a particular IP address improper access to the contents of the computing asset. Here, rather than implementing the action, the asset may prevent the action from being taken because the security action would not be verified using the methods described above. Once rejected, a flag or other notification may be created and provided to a defined administrator of the computing network, notifying the administrator that an improper security action was attempted on an asset in the environment. Further, by providing the opportunity to each of the assets to verify the security actions, the verification information may be distributed in the computing network. In particular, rather than maintaining a centralized database with permission information for the administrators of a network, the end assets may be used to receive and verify actions before they are implemented, minimizing the opportunity of a breach on a large number of assets.
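The exchange that the FIG. 7 and FIG. 8 descriptions above lay out (the administration system notifying the asset of an impending action, the two sides exchanging security parameters, the asset comparing the signature on the action against the expected administrator signature and checking that the administrator is permitted to configure it, the action commands being transferred only after approval, and a rejected action being flagged for an administrator), as an added Python example that is not part of the patent or of any implementation it describes. It assumes an HMAC-SHA256 over a per-administrator shared secret in place of the passphrase, SSL or signature exchange the text leaves open, and it adds a single-use nonce challenge from the asset, which the text does not mention; the class names, asset identifiers, action type strings, secrets and addresses are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumption, not from the patent): each administrator shares a secret
# with the assets, and each asset lists the administrators permitted to configure it.
ADMIN_SECRETS = {"alice": b"constructed-secret-alice", "bob": b"constructed-secret-bob"}
ASSET_PERMITTED_ADMINS = {"asset-140": {"alice"}, "asset-141": {"alice", "bob"}}
ALLOWED_ACTION_TYPES = {"block_ip", "remove_process", "segregate_vlan"}  # the types the page names

def sign_action(secret: bytes, nonce: str, action: dict) -> str:
    """HMAC-SHA256 over the asset's nonce and a sorted-key JSON encoding of the action."""
    msg = nonce.encode() + b"|" + json.dumps(action, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

@dataclass
class AdministrationSystem:
    admin: str
    secret: bytes
    pending: dict = field(default_factory=dict)  # asset_id -> action awaiting approval

    def notify(self, asset_id: str, action: dict) -> dict:  # step 1: announce, apply nothing yet
        self.pending[asset_id] = action
        return {"admin": self.admin, "asset_id": asset_id, "action": action}

    def respond(self, asset_id: str, nonce: str) -> str:  # step 3: sign nonce + pending action
        return sign_action(self.secret, nonce, self.pending[asset_id])

    def transfer(self, asset_id: str, approved: bool):  # step 5: ship the commands only if approved
        action = self.pending.pop(asset_id, None)
        return action if approved else None

@dataclass
class AssetComputingSystem:
    asset_id: str
    permitted_admins: set
    admin_secrets: dict
    nonces: set = field(default_factory=set)
    flags: list = field(default_factory=list)  # rejected actions, reported to the administrator
    applied: list = field(default_factory=list)

    def challenge(self) -> str:  # step 2: fresh single-use nonce, so a captured signature is not replayable
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def _reject_reason(self, notification: dict, nonce: str, signature: str):
        admin, action = notification.get("admin"), notification.get("action", {})
        if nonce not in self.nonces:
            return "unknown or reused nonce"
        self.nonces.discard(nonce)  # consumed even if a later check fails
        secret = self.admin_secrets.get(admin)
        if admin not in self.permitted_admins or secret is None:
            return f"administrator {admin!r} not permitted on this asset"
        if action.get("type") not in ALLOWED_ACTION_TYPES:
            return f"unknown action type {action.get('type')!r}"
        if not hmac.compare_digest(sign_action(secret, nonce, action), signature):
            return "signature does not match the expected administrator signature"
        return None

    def verify(self, notification: dict, nonce: str, signature: str) -> tuple:
        """Step 4: approve only if every check passes; otherwise flag instead of applying."""
        reason = self._reject_reason(notification, nonce, signature)
        if reason is not None:
            self.flags.append({"asset": self.asset_id, "reason": reason, "notification": notification})
        return reason is None, reason or "approved"

def run_exchange(admin_sys, asset, action, tamper=None, replay=False) -> tuple:
    """Whole exchange: notify -> challenge -> sign -> verify -> transfer -> apply.
    `tamper` rewrites the signed notification in transit; `replay` delivers it a second time."""
    notification = admin_sys.notify(asset.asset_id, action)
    nonce = asset.challenge()
    signature = admin_sys.respond(asset.asset_id, nonce)
    if tamper:
        notification = tamper(notification)
    approved, reason = asset.verify(notification, nonce, signature)
    commands = admin_sys.transfer(asset.asset_id, approved)
    if commands is not None:
        asset.applied.append(commands)
    if replay:  # the same nonce and signature delivered again must be rejected
        approved, reason = asset.verify(notification, nonce, signature)
    return approved, reason

def demo() -> dict:
    """Constructed run: one approved exchange, then three deliveries that must be rejected."""
    alice = AdministrationSystem("alice", ADMIN_SECRETS["alice"])
    bob = AdministrationSystem("bob", ADMIN_SECRETS["bob"])
    asset = AssetComputingSystem("asset-140", ASSET_PERMITTED_ADMINS["asset-140"], ADMIN_SECRETS)
    block = {"type": "block_ip", "address": "203.0.113.7"}  # constructed sample action
    forged = lambda n: {**n, "action": {**block, "address": "198.51.100.1"}}  # altered in transit
    out = {"permitted_admin": run_exchange(alice, asset, block),
           "unpermitted_admin": run_exchange(bob, asset, block),
           "tampered_action": run_exchange(alice, asset, block, tamper=forged),
           "replayed": run_exchange(alice, asset, block, replay=True)}
    out["applied"], out["flag_count"] = list(asset.applied), len(asset.flags)
    return out
```

Two design points carry the text's argument: the permission table lives on the asset (`permitted_admins`), so there is no central database whose compromise approves actions everywhere, and a failed check never silently drops the request but appends a flag the defined administrator can be notified from. The signature covers the action itself, so an action altered between the administration system and the asset fails the comparison even though the administrator is genuine.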

Returning to the elements of FIG. 1, action sources 110 and administration system 120 may each comprise one or more server computing systems, desktop computing systems, laptop computing systems, virtual machines, or other similar computing systems. Action sources 110 and administration system 120 may each comprise communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or some other processing devices or software systems, and can be distributed among multiple devices. Action sources may include an administrator of the network, an operation executing on administration system 120 to define a security action, an external system configured to provide security actions to administration system 120, or some other similar action source.

Organization network 130 comprises a plurality of assets 140-143. Assets 140-143 may include, but are not limited to, serving computing systems, user computing systems, virtual machines, networking elements, and other similar computing assets, including various combinations thereof.

Administration system 120 may communicate with action sources 110 and organization network 130 using metal, glass, optical, air, space, or some other material as the transport media. Administration system 120 may communicate with action sources 110 and organization network 130 using Time Division Multiplex (TDM), asynchronous transfer mode (ATM), IP, Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched, communication signaling, wireless communications, or some other communication format, including improvements thereof.

The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best option. For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. Those skilled in the art will appreciate variations from these implementations that fall within the scope of the invention. Those skilled in the art will also appreciate that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.

What is claimed is:
1. A method of implementing security actions in a computing network comprising a plurality of computing assets, the method comprising: in an administration system, identifying a security action to be implemented in at least one computing asset of the computing network; in response to identifying the security action, exchanging, between the administration system and the at least one computing asset, security parameters for the security action; in the at least one computing asset, determining whether the security action is approved for the at least one computing asset based on the security parameters; and in the at least one computing asset and if the security action is approved, initiating implementation of the security action.
2. The method of claim 1 wherein the at least one computing asset comprises at least one of a firewall, a serving computing system, an end user computing system, a virtual machine, or a router.
3. The method of claim 1 wherein exchanging, between the administration system and the at least one computing asset, security parameters for the security action comprises: in the administration system, receiving security credentials for the at least one computing asset from an administrator of the at least one computing asset; and in the administration system, transferring, for delivery to the at least one computing asset, the security credentials.
4. The method of claim 3 wherein the security credentials for the at least one computing asset comprise at least a username and password for the at least one computing asset.
5. The method of claim 1 wherein initiating implementation of the security action comprises transferring a notification to the administration system requesting the security action.
6. The method of claim 5 further comprising, in the administration system, receiving the notification and, in response to the notification, transferring the security action, for delivery to the at least one computing asset, to be implemented on the at least one computing asset.
7. The method of claim 1 further comprising transferring the security action for delivery to the at least one computing asset and wherein initiating implementation of the security action comprises initiating implementation of the received security action.
8. The method of claim 1 further comprising, in the at least one computing asset and if the security action is not approved, blocking the security action.
9. The method of claim 8 further comprising, in the at least one computing asset and if the security action is not approved, transferring a notification to the administration system indicating that the security action is not approved.
10. A system to implement security actions in a computing network comprising a plurality of computing assets, the system comprising: an administration system configured to identify a security action to be implemented in at least one computing asset of the computing network and exchange security parameters for the security action with the at least one computing asset; the at least one computing asset configured to exchange the security parameters with the administration system, determine whether the security action is approved for the at least one computing asset based on the security parameters, and if the security action is approved, initiate implementation of the security action.
11. The system of claim 10 wherein the at least one computing asset comprises at least one of a firewall, a serving computing system, an end user computing system, a virtual machine, or a router.
12. The system of claim 10, wherein the administration system configured to exchange the security parameters with the at least one computing asset is configured to receive security credentials for the at least one computing asset from an administrator of the at least one computing asset, and transfer, for delivery to the at least one computing asset, the security credentials, and wherein the at least one computing asset configured to exchange the security parameters with the administration system is configured to receive the security credentials from the administration system.
13. The system of claim 10 wherein the at least one computing asset configured to initiate implementation of the security action is configured to transfer a notification to the administration system requesting the security action, and wherein the administration system is further configured to receive the notification and, in response to the notification, transfer the security action, for delivery to the at least one computing asset, to be implemented on the at least one computing asset.
14. The system of claim 10 wherein the administration system is further configured to transfer the security action for delivery to the at least one computing asset, and wherein the initiating implementation of the security action comprises initiating implementation of the received security action.
15. A method of implementing security actions in a computing network comprising a plurality of computing assets, the method comprising: in an administration system, identifying a security action to be implemented in at least one computing asset of the computing network; in the administration system and in response to identifying the security action, receiving security credentials for the at least one computing asset; in the administration system, transferring the security credentials for delivery to the at least one computing asset; in the at least one computing asset, receiving the security credentials; in the at least one computing asset, determining whether the security action is approved for the at least one computing asset based on the security credentials; and in the at least one computing asset and if the security action is approved, initiating implementation of the security action.
16. The method of claim 15 wherein the at least one computing asset comprises at least one of a firewall, a serving computing system, an end user computing system, a virtual machine, or a router.
17. The method of claim 15 wherein the security credentials for the at least one computing asset comprise at least a username and password for the at least one computing asset.
18. The method of claim 15 wherein transferring the security credentials for delivery to the at least one computing asset comprises transferring the security credentials and the security action for delivery to the at least one computing asset, wherein receiving the security credentials comprises receiving the security credentials and the security action, and wherein initiating implementation of the security action comprises implementing the received security action.
19. The method of claim 15 wherein initiating implementation of the security action comprises transferring a notification to the administration system requesting the security action, and wherein the method further comprises, in the administration system, receiving the notification and, in response to the notification, transferring the security action for delivery to the at least one computing asset to be implemented on the at least one computing asset.
20. The method of claim 15 wherein the security action comprises a block internet protocol action, a remove process action, or a segregation action to segregate the at least one computing asset from other computing assets in the computing network.